Brazil’s Climb Onto the World Stage Sparks Cyber Risks – Source: www.databreachtoday.com

Cybercrime
,
Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime

Cyber Spies, Extortionists and Domestic Crooks All Vie to Hack Brazil

Akshaya Asokan (asokan_akshaya) •
June 12, 2024    

Brazil’s growing profile on the world stage comes freighted with cyberthreats from abroad and a thriving criminal ecosystem from within, warns Google.

The fifth-most-populous country in the world, Brazil has long been a superpower in waiting. It holds presidency of the G20 forum this year, and next year it will assume leadership of the newly enlarged BRICS intergovernmental forum of developing countries, which it originally founded with Russia, India and China, and later South Africa. Brazil is the largest Latin American recipient of Chinese investment.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

Growing prominence in global politics and a thriving digital payment economy have resulted in cyberespionage from abroad and the attention of extortion gangs who – despite a heavy emphasis on North American and Europe – have also made Brazil a focus. Brazil is the second-most-targeted country of ransomware-as-a-service group RansomHub, based on listings on its leak site, Google’s Threat Analysis Group said Wednesday in a blog post co-authored with Mandiant.

“As Brazil’s influence grows, so does its digital footprint, making it an increasingly attractive target for cyberthreats originating from both global and domestic actors,” the blog post says. “At the same time, the threat landscape in Brazil is shaped by a domestic cybercriminal market.”

That includes mainly Brazilian Portuguese-speaking hackers, who are carrying out account takeovers, carding fraud, financial data exfiltration using banking malware, and ransomware across Latin America.

Among those groups is an actor that Mandiant tracks as UNC5176 and that threat intelligence suspects of being based in Brazil. It uses a backdoor dubbed Ursa typically delivered as an archive attachment to phishing emails.

Another group, tracked as Pineapple, often poses as Brazil’s tax agency, Receita Federal do Brasil, in spam campaigns. The campaigns often spoof a legitimate agency email address – receita@gov.br – in a bid to have victims install the Astaroth info stealer.
“In one recent campaign blocked by Gmail, Pineapple’s spam emails impersonated Brazil’s finance ministry and directed recipients to a social engineering page that mimicked the Brazilian government’s electronic tax document system (Portal da Nota Fiscal Eletrônica),” Google said.

The phishing site coaxed users into clicking a button to supposedly view an electronic tax document that led to a .lnk Windows shortcut file on an attacker-controlled infrastructure. Likely to evade detection, Pineapple has used legitimate services, including the Google Cloud Run managed compute platform, to host the malicious .lnk file.

Unlike their Russian-speaking counterparts, who rely on criminal forums to buy and sell malware, Brazilian actors tend to rely on social media and instant messaging apps, particularly Telegram and WhatsApp, Mandiant said.

State cyberespionage actors with an interest in Brazil include groups from Russia, China and North Korea – although Russian activity appears to have scaled back considerably since the Kremlin launched a war of conquest against Ukraine in February 2022.

Google and Mandiant telemetry shows 15 separate Beijing cyberespionage groups targeting users in Brazil, together accounting for more than “40% of government-backed phishing activity targeting Brazil.”

North Korea accounts for approximately one-third of government-backed phishing activity targeting Brazil, and Pyongyang threat actors are showing interest in government agencies and aerospace, technology, and financial services sectors. “Cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies,” Mandiant said.